Shooting Range DVWA: Brute Force

Use tool: Burpsuite

Category: Tags: ,

LOW

Configure the proxy and start burpsuite to capture packets;

Enter username and password at the front end;

Click Login, you can see the packet capture in Burpsuite;

Click Send to Intruder to send the captured package to the package Intruder module for brute force cracking

Enter the Intruder module, select the attack type as Cluster bomb, and select the parameters of username and password as the blasting point;

Cluter bomb is a cross-enumeration of two dictionaries, which is suitable for cracking usernames and passwords.

After setting the payload, the dictionary can be generated from the online dictionary on the website, and kali Linux will also come with a very powerful dictionary;

Then click start attack to start cracking;

Find the results of different lengths, check the Response to know the blasting results.

From the response result, we can see that the username and password blasted out are:

username password
admin 123456
pablo letmein
1337 charley

1602470953_5f83c42931fd984028389.png

Check the source code and find that username and password are not filtered;

There is a sql injection vulnerability

Therefore, this level can also use sql injection to log in without password;

Enter admin’ # or admin’ or ‘1’=’1 in the username box to log in

MEDIUM
The brute force method at this level is the same as the low level;

It’s just that there are some more SQL character filtering than the low level.

HIGH
Configure the proxy and start burpsuite to capture packets;

Enter username and password at will in the previous paragraph;

Then check the capture situation;

See that there is an extra user_token parameter in the data packet under the HIGH level;

Token means “token”, which is a string of character strings generated by the server as an identifier for the client to make a request.

When the user logs in for the first time, the server generates a token and returns this token to the client. In the future, the client only needs to bring this token to request data without having to bring the user name and password again.

The composition of a simple token; uid (user’s unique identity), time (time stamp of the current time), sign (signature, the first few digits of the token are compressed into a certain length of hexadecimal string by a hash algorithm. Prevent token leakage).

Or Send to Intruder for brute force cracking;

Choose password and user_token as blasting points;

Choose the attack type as pitchfork;

Pitchfork-This model uses multiple payload groups. Different payload groups can be used for defined locations. The attack will iterate all the payload groups simultaneously and put the payload into each defined position. For example, if there is a dictionary at A and a dictionary at B in position, then a[1] will be attacked corresponding to b[1]. This type of attack is very suitable for different but related inputs that need to be inserted in different positions. Case. The number of requests should be the number of payloads in the smallest payload group.

Find Grep-Extract in options;

Click Refetch response to retrieve the response;

Then find user_token in the code below, select the value field value; click OK;

Find Redirections to set up redirection; select Always;

Then set the payload; payload1 still uses the password dictionary;

For payload2, select the payload type as Recursive grep;

Fill in the value of the token in the box below;

Click start attack to start blasting;

Find length and other different packages to view the response;

Get the password of admin: 123456.

IMPOSSIBLE
The packet capture found that the data packet under the impossible level still contains the token;

Also use high-level methods for blasting;

Select a package with a different length to view the response;

Found that the user has been locked, try again in 15 minutes;

It is impossible to complete the cracking because the number of failed login attempts is limited.

 

Reviews

There are no reviews yet.

Be the first to review “Shooting Range DVWA: Brute Force”

Your email address will not be published. Required fields are marked *